Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
M
mariadb
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
mariadb
Commits
9c708fdf
Commit
9c708fdf
authored
Jul 23, 2009
by
Staale Smedseng
Browse files
Options
Browse Files
Download
Plain Diff
Merge from 5.0
parents
2d716209
1e32574c
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
56 additions
and
21 deletions
+56
-21
include/violite.h
include/violite.h
+9
-1
sql/mysqld.cc
sql/mysqld.cc
+5
-2
vio/viosslfactories.c
vio/viosslfactories.c
+42
-18
No files found.
include/violite.h
View file @
9c708fdf
...
...
@@ -109,6 +109,14 @@ typedef my_socket YASSL_SOCKET_T;
#include <openssl/ssl.h>
#include <openssl/err.h>
enum
enum_ssl_init_error
{
SSL_INITERR_NOERROR
=
0
,
SSL_INITERR_CERT
,
SSL_INITERR_KEY
,
SSL_INITERR_NOMATCH
,
SSL_INITERR_BAD_PATHS
,
SSL_INITERR_CIPHERS
,
SSL_INITERR_MEMFAIL
,
SSL_INITERR_LASTERR
};
const
char
*
sslGetErrString
(
enum
enum_ssl_init_error
err
);
struct
st_VioSSLFd
{
SSL_CTX
*
ssl_context
;
...
...
@@ -124,7 +132,7 @@ struct st_VioSSLFd
struct
st_VioSSLFd
*
new_VioSSLAcceptorFd
(
const
char
*
key_file
,
const
char
*
cert_file
,
const
char
*
ca_file
,
const
char
*
ca_path
,
const
char
*
cipher
);
const
char
*
cipher
,
enum
enum_ssl_init_error
*
error
);
void
free_vio_ssl_acceptor_fd
(
struct
st_VioSSLFd
*
fd
);
#endif
/* HAVE_OPENSSL */
...
...
sql/mysqld.cc
View file @
9c708fdf
...
...
@@ -3651,14 +3651,17 @@ static void init_ssl()
#ifdef HAVE_OPENSSL
if
(
opt_use_ssl
)
{
enum
enum_ssl_init_error
error
=
SSL_INITERR_NOERROR
;
/* having ssl_acceptor_fd != 0 signals the use of SSL */
ssl_acceptor_fd
=
new_VioSSLAcceptorFd
(
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
opt_ssl_capath
,
opt_ssl_cipher
);
opt_ssl_cipher
,
&
error
);
DBUG_PRINT
(
"info"
,(
"ssl_acceptor_fd: 0x%lx"
,
(
long
)
ssl_acceptor_fd
));
if
(
!
ssl_acceptor_fd
)
{
sql_print_warning
(
"Failed to setup SSL"
);
sql_print_warning
(
"SSL error: %s"
,
sslGetErrString
(
error
));
opt_use_ssl
=
0
;
have_ssl
=
SHOW_OPTION_DISABLED
;
}
...
...
@@ -4300,7 +4303,6 @@ int main(int argc, char **argv)
select_thread
=
pthread_self
();
select_thread_in_use
=
1
;
init_ssl
();
#ifdef HAVE_LIBWRAP
libwrapName
=
my_progname
+
dirname_length
(
my_progname
);
...
...
@@ -4355,6 +4357,7 @@ we force server id to 2, but this MySQL server will not act as a slave.");
if
(
init_server_components
())
unireg_abort
(
1
);
init_ssl
();
network_init
();
#ifdef __WIN__
...
...
vio/viosslfactories.c
View file @
9c708fdf
...
...
@@ -73,9 +73,28 @@ report_errors()
DBUG_VOID_RETURN
;
}
static
const
char
*
ssl_error_string
[]
=
{
"No error"
,
"Unable to get certificate"
,
"Unable to get private key"
,
"Private key does not match the certificate public key"
"SSL_CTX_set_default_verify_paths failed"
,
"Failed to set ciphers to use"
,
"SSL_CTX_new failed"
};
const
char
*
sslGetErrString
(
enum
enum_ssl_init_error
e
)
{
DBUG_ASSERT
(
SSL_INITERR_NOERROR
<
e
&&
e
<
SSL_INITERR_LASTERR
);
return
ssl_error_string
[
e
];
}
static
int
vio_set_cert_stuff
(
SSL_CTX
*
ctx
,
const
char
*
cert_file
,
const
char
*
key_file
)
vio_set_cert_stuff
(
SSL_CTX
*
ctx
,
const
char
*
cert_file
,
const
char
*
key_file
,
enum
enum_ssl_init_error
*
error
)
{
DBUG_ENTER
(
"vio_set_cert_stuff"
);
DBUG_PRINT
(
"enter"
,
(
"ctx: 0x%lx cert_file: %s key_file: %s"
,
...
...
@@ -84,9 +103,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
{
if
(
SSL_CTX_use_certificate_file
(
ctx
,
cert_file
,
SSL_FILETYPE_PEM
)
<=
0
)
{
DBUG_PRINT
(
"error"
,(
"unable to get certificate from '%s'"
,
cert_file
));
*
error
=
SSL_INITERR_CERT
;
DBUG_PRINT
(
"error"
,(
"%s from file '%s'"
,
sslGetErrString
(
*
error
),
cert_file
));
DBUG_EXECUTE
(
"error"
,
ERR_print_errors_fp
(
DBUG_FILE
););
fprintf
(
stderr
,
"SSL error:
Unable to get certificate from '%s'
\n
"
,
fprintf
(
stderr
,
"SSL error:
%s from '%s'
\n
"
,
sslGetErrString
(
*
error
)
,
cert_file
);
fflush
(
stderr
);
DBUG_RETURN
(
1
);
...
...
@@ -97,9 +117,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
if
(
SSL_CTX_use_PrivateKey_file
(
ctx
,
key_file
,
SSL_FILETYPE_PEM
)
<=
0
)
{
DBUG_PRINT
(
"error"
,
(
"unable to get private key from '%s'"
,
key_file
));
*
error
=
SSL_INITERR_KEY
;
DBUG_PRINT
(
"error"
,
(
"%s from file '%s'"
,
sslGetErrString
(
*
error
),
key_file
));
DBUG_EXECUTE
(
"error"
,
ERR_print_errors_fp
(
DBUG_FILE
););
fprintf
(
stderr
,
"SSL error:
Unable to get private key from '%s'
\n
"
,
fprintf
(
stderr
,
"SSL error:
%s from '%s'
\n
"
,
sslGetErrString
(
*
error
)
,
key_file
);
fflush
(
stderr
);
DBUG_RETURN
(
1
);
...
...
@@ -111,12 +132,10 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file)
*/
if
(
!
SSL_CTX_check_private_key
(
ctx
))
{
DBUG_PRINT
(
"error"
,
(
"Private key does not match the certificate public key"
));
*
error
=
SSL_INITERR_NOMATCH
;
DBUG_PRINT
(
"error"
,
(
"%s"
,
sslGetErrString
(
*
error
)
));
DBUG_EXECUTE
(
"error"
,
ERR_print_errors_fp
(
DBUG_FILE
););
fprintf
(
stderr
,
"SSL error: "
"Private key does not match the certificate public key
\n
"
);
fprintf
(
stderr
,
"SSL error: %s
\n
"
,
sslGetErrString
(
*
error
));
fflush
(
stderr
);
DBUG_RETURN
(
1
);
}
...
...
@@ -229,7 +248,8 @@ static void check_ssl_init()
static
struct
st_VioSSLFd
*
new_VioSSLFd
(
const
char
*
key_file
,
const
char
*
cert_file
,
const
char
*
ca_file
,
const
char
*
ca_path
,
const
char
*
cipher
,
SSL_METHOD
*
method
)
const
char
*
cipher
,
SSL_METHOD
*
method
,
enum
enum_ssl_init_error
*
error
)
{
DH
*
dh
;
struct
st_VioSSLFd
*
ssl_fd
;
...
...
@@ -251,7 +271,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
if
(
!
(
ssl_fd
->
ssl_context
=
SSL_CTX_new
(
method
)))
{
DBUG_PRINT
(
"error"
,
(
"SSL_CTX_new failed"
));
*
error
=
SSL_INITERR_MEMFAIL
;
DBUG_PRINT
(
"error"
,
(
"%s"
,
sslGetErrString
(
*
error
)));
report_errors
();
my_free
((
void
*
)
ssl_fd
,
MYF
(
0
));
DBUG_RETURN
(
0
);
...
...
@@ -265,7 +286,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
if
(
cipher
&&
SSL_CTX_set_cipher_list
(
ssl_fd
->
ssl_context
,
cipher
)
==
0
)
{
DBUG_PRINT
(
"error"
,
(
"failed to set ciphers to use"
));
*
error
=
SSL_INITERR_CIPHERS
;
DBUG_PRINT
(
"error"
,
(
"%s"
,
sslGetErrString
(
*
error
)));
report_errors
();
SSL_CTX_free
(
ssl_fd
->
ssl_context
);
my_free
((
void
*
)
ssl_fd
,
MYF
(
0
));
...
...
@@ -278,7 +300,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
DBUG_PRINT
(
"warning"
,
(
"SSL_CTX_load_verify_locations failed"
));
if
(
SSL_CTX_set_default_verify_paths
(
ssl_fd
->
ssl_context
)
==
0
)
{
DBUG_PRINT
(
"error"
,
(
"SSL_CTX_set_default_verify_paths failed"
));
*
error
=
SSL_INITERR_BAD_PATHS
;
DBUG_PRINT
(
"error"
,
(
"%s"
,
sslGetErrString
(
*
error
)));
report_errors
();
SSL_CTX_free
(
ssl_fd
->
ssl_context
);
my_free
((
void
*
)
ssl_fd
,
MYF
(
0
));
...
...
@@ -286,7 +309,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
}
}
if
(
vio_set_cert_stuff
(
ssl_fd
->
ssl_context
,
cert_file
,
key_file
))
if
(
vio_set_cert_stuff
(
ssl_fd
->
ssl_context
,
cert_file
,
key_file
,
error
))
{
DBUG_PRINT
(
"error"
,
(
"vio_set_cert_stuff failed"
));
report_errors
();
...
...
@@ -314,6 +337,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
{
struct
st_VioSSLFd
*
ssl_fd
;
int
verify
=
SSL_VERIFY_PEER
;
enum
enum_ssl_init_error
dummy
;
/*
Turn off verification of servers certificate if both
...
...
@@ -323,7 +347,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
verify
=
SSL_VERIFY_NONE
;
if
(
!
(
ssl_fd
=
new_VioSSLFd
(
key_file
,
cert_file
,
ca_file
,
ca_path
,
cipher
,
TLSv1_client_method
())))
ca_path
,
cipher
,
TLSv1_client_method
()
,
&
dummy
)))
{
return
0
;
}
...
...
@@ -344,12 +368,12 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
struct
st_VioSSLFd
*
new_VioSSLAcceptorFd
(
const
char
*
key_file
,
const
char
*
cert_file
,
const
char
*
ca_file
,
const
char
*
ca_path
,
const
char
*
cipher
)
const
char
*
cipher
,
enum
enum_ssl_init_error
*
error
)
{
struct
st_VioSSLFd
*
ssl_fd
;
int
verify
=
SSL_VERIFY_PEER
|
SSL_VERIFY_CLIENT_ONCE
;
if
(
!
(
ssl_fd
=
new_VioSSLFd
(
key_file
,
cert_file
,
ca_file
,
ca_path
,
cipher
,
TLSv1_server_method
())))
ca_path
,
cipher
,
TLSv1_server_method
()
,
error
)))
{
return
0
;
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment